From 12da107c51538f601bda3958eef956602e8ff733 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Mon, 26 Jun 2017 09:09:30 -0400
Subject: [PATCH] web policy for two factor apis

---
 src/Api/Controllers/TwoFactorController.cs | 2 +-
 src/Api/Startup.cs | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Api/Controllers/TwoFactorController.cs b/src/Api/Controllers/TwoFactorController.cs
index 7d22687e1c..036f3cc969 100644
--- a/src/Api/Controllers/TwoFactorController.cs
+++ b/src/Api/Controllers/TwoFactorController.cs
@@ -15,7 +15,7 @@ using Newtonsoft.Json;
 namespace Bit.Api.Controllers
 {
     [Route("two-factor")]
-    [Authorize("Application")]
+    [Authorize("Web")]
     public class TwoFactorController : Controller
     {
         private readonly IUserService _userService;
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index f8faa0ceee..77d44eaed1 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -79,6 +79,15 @@ namespace Bit.Api
                 policy.AddAuthenticationSchemes("Bearer2", "Bearer3");
                 policy.RequireAuthenticatedUser();
                 policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
+                policy.RequireClaim(JwtClaimTypes.Scope, "api");
+            });
+            config.AddPolicy("Web", policy =>
+            {
+                policy.AddAuthenticationSchemes("Bearer2", "Bearer3");
+                policy.RequireAuthenticatedUser();
+                policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
+                policy.RequireClaim(JwtClaimTypes.Scope, "api");
+                policy.RequireClaim(JwtClaimTypes.ClientId, "web");
             });
         });
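Review bot: `[Authorize("Web")]` sits on the class, so every action of TwoFactorController is now limited to callers whose token satisfies the "Web" policy registered in Startup, and that policy is resolved by a raw string at request time — a typo or a missing registration surfaces as an InvalidOperationException (an HTTP 500) on the first request rather than as a 401/403 or a compile error. Consider keeping the policy names as constants referenced from both the attribute and Startup, e.g. `[Authorize(PolicyNames.Web)]` (`PolicyNames` is a constructed name for a small constants holder). Because the restriction applies to all actions, it is worth confirming that no other client that legitimately calls these two-factor endpoints exists, since such callers would now receive 403. The TwoFactorController body continues outside the hunk.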
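Review bot: The new "Web" policy restates all four requirements of "Application" line for line, so the two will silently diverge the first time one of them is edited (say, a scheme added to "Application" but not to "Web"); since "Web" is meant to be "Application" plus a client check, build both from a shared helper. The sketch below moves the common requirements into a private static method on Startup and leaves only the `client_id` requirement specific to "Web" (`AuthorizationPolicyBuilder` is the type of the `policy` lambda parameter). The `client_id` requirement is only as strong as the token issuer's guarantee that no other client can obtain a token carrying that value, which this hunk cannot show — a comment such as `// "web" must be a client id that only the web front end can obtain from the token issuer.` would record that assumption. The hunk header counts six old-side lines but only five context lines are visible, so its trailing context is cut off here.
```csharp
// … unchanged: config.AddPolicy("Application", policy => { (starts before the hunk) …
                ConfigureApiPolicy(policy);
            });
            config.AddPolicy("Web", policy =>
            {
                ConfigureApiPolicy(policy);
                // Only tokens issued to the "web" client pass this policy.
                policy.RequireClaim(JwtClaimTypes.ClientId, "web");
            });
// … unchanged: closing of AddAuthorization and the rest of ConfigureServices …

        // Requirements shared by every bearer-token API policy; edit here so "Application" and "Web" stay in step.
        private static void ConfigureApiPolicy(AuthorizationPolicyBuilder policy)
        {
            policy.AddAuthenticationSchemes("Bearer2", "Bearer3");
            policy.RequireAuthenticatedUser();
            policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
            policy.RequireClaim(JwtClaimTypes.Scope, "api");
        }
```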